At the authorization check, if a request requires authentication but has not been authenticated, the request is rejected here.
HTTP Basic authentication
Credentials (username, password) -> Base64 encoding (the two values are joined as username:password and the result is Base64-encoded; this is encoding, not encryption) -> placed in the request header under the key Authorization (this header supports many schemes; because this one is HTTP Basic, the header value has the form: Basic <the Base64 string just produced>)
Drawback: not very secure. Base64 is trivially reversible, so the credentials are exposed to anyone who can read the request unless it travels over TLS, and they are re-sent with every request.
Demo
Implementing the filter
Core code; it uses the StringUtils helper class from the commons-lang3 package.
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.commons.lang3.StringUtils;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.stereotype.Component;
import org.springframework.util.Base64Utils;
import org.springframework.web.filter.OncePerRequestFilter;
@Component
public class BasicAuthorizationFilter extends OncePerRequestFilter {
    @Autowired
    private UserRepository userRepository;
    @Override
    protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response,
                                    FilterChain chain) throws ServletException, IOException {
        String authorization = request.getHeader("Authorization");
        // Only handle headers of the form "Basic <base64(username:password)>"
        if (StringUtils.startsWith(authorization, "Basic ")) {
            String token;
            try {
                token = new String(Base64Utils.decodeFromString(
                        StringUtils.substringAfter(authorization, "Basic ")), StandardCharsets.UTF_8);
            } catch (IllegalArgumentException e) {
                token = ""; // malformed Base64: fall through unauthenticated
            }
            // Split on the first ':' only, so a password that contains ':' stays intact
            String[] strs = StringUtils.splitByWholeSeparatorPreserveAllTokens(token, ":", 2);
            if (strs.length == 2) {
                User user = userRepository.findByUsername(strs[0]);
                // Plaintext comparison against the stored password: this is the weakness noted above
                if (user != null && StringUtils.equals(strs[1], user.getPassword())) {
                    request.setAttribute("user", user);
                }
            }
        }
        chain.doFilter(request, response);
    }
}
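As an added example (not the page's filter code), the Authorization header format described above parsed strictly in a standalone class, covering the cases the filter skips: a case-insensitive scheme name, invalid Base64, UTF-8 credentials, and a password that itself contains ':'. The class and method names are my own.

```java
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.Optional;

// Added example, not the page's filter: strict parsing of a Basic Authorization header (RFC 7617).
public final class BasicCredentials {
    public final String username;
    public final String password;
    private BasicCredentials(String username, String password) {
        this.username = username;
        this.password = password;
    }

    // Empty result for anything that is not a well-formed Basic credential, so a caller can answer 401.
    public static Optional<BasicCredentials> parse(String header) {
        // Scheme name is case-insensitive and must be followed by a space.
        if (header == null || header.length() < 6
                || !header.regionMatches(true, 0, "Basic ", 0, 6)) {
            return Optional.empty();
        }
        byte[] raw;
        try {
            raw = Base64.getDecoder().decode(header.substring(6).trim());
        } catch (IllegalArgumentException e) {
            return Optional.empty(); // not valid Base64
        }
        // Decode as UTF-8 and split on the FIRST colon only: the user-id may not contain ':', the password may.
        String token = new String(raw, StandardCharsets.UTF_8);
        int colon = token.indexOf(':');
        if (colon <= 0) {
            return Optional.empty(); // no colon, or empty user-id
        }
        return Optional.of(new BasicCredentials(
                token.substring(0, colon), token.substring(colon + 1)));
    }

    // The header a client sends; used below to show the round trip.
    public static String encode(String username, String password) {
        byte[] pair = (username + ":" + password).getBytes(StandardCharsets.UTF_8);
        return "Basic " + Base64.getEncoder().encodeToString(pair);
    }

    public static void main(String[] args) {
        // Constructed sample credentials; the password deliberately contains colons.
        BasicCredentials c = parse(encode("alice", "p:ss:w0rd")).get();
        System.out.println(c.username + " | " + c.password);
        System.out.println(parse("Bearer abc").isPresent() + " " + parse("Basic !!!").isPresent());
    }
}
```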
Testing